Need for a standardization of Ethernet firewalls in the automotive world

Presenter: Dr. Siddharth Shukla

© 2023 ETAS GmbH. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. ETAS-SEC/XSF-EU2 | 23.02.2023

Firewalling in automotive

Trends in EE-architecture

[Figure: architecture diagrams. Domain labels: Infotainment & in-vehicle experience, ADAS & highly automated driving, Powertrain & vehicle dynamics, Body & comfort, Connectivity. Blocks: service oriented gateway, domain controllers, central brain(s), zonal gateways. Captions: "Unfit to future mobility", "Enabling autonomous vehicle", "Enabling software defined vehicle", "Logical restructure | Domains", "Physical restructure | Zones".]

- Shorter vehicle wiring harness
- High bandwidth communication link
- Re-use of hardware and software
- Improved security and bandwidth
- Limited cross domain communication

OEM specific architectural transition

- Transition is different from OEM to OEM
- Starting from different base architectures
- Different steps
- Hybrid solutions as the first step to zonal are very common
- IVI and ADAS are not included in physical zones and are staying separate

[Figure: architecture stages labelled Domain, Clustered Domain, Partial Zone and Full Zone for OEM A and OEM C. Blocks: Gateway, Drivetrain, Connectivity, Body, Vehicle Computer, Zonal Module, ADAS, IVI, Connectivity + IVI.]

Need for firewall in vehicles

- Fulfill legislation requirement
  - GBT in China
  - UNECE
- Adding security check point at entry to stop unauthorized messages (defence in depth)
- We learned from IT world, use of Ethernet requires firewall

[Figure: normal message flow of ETH messages between ECUs through a firewall. The firewall either allows the message or drops the message and creates an event report (with timestamp) for the intrusion detection system (IDS).]

New challenges when moving towards modern ee-architecture

- Distribution of domain specific sensor and actuator connectivity over the car to the zonal edge devices
- Domain functionality handled in the central compute, sometimes also local in the edges or distributed
- The connections from the edge get translated/packed into Ethernet frames and transmitted over the Ethernet backbone
- Separation of compute and communication needs to happen in the center and in the edges
- Summary: communication policy is now complex and distributed (not logical but based on zones)

Key Ethernet use-cases for zonal E/E-architecture

1. Firewall and IDS on Vehicle computer
   - Network separation using VLANs
   - Firewall cross domain traffic
   - Firewall end-to-end traffic
   - Deep packet inspection for some frames
   - Intrusion detection for Ethernet
2. Firewall on Ethernet switch
   - Network separation using VLANs between domains A, B, C, D and E
   - Firewall cross domain traffic at high speed between domains A, B, C, D and E
   - Access control for vehicle server
3. Firewall and IDS on Domain controller
   - Access control and firewall zonal traffic
4. Firewall on end ECUs
   - Firewall for specific applications like EV charging ECU

[Figure: zonal E/E-architecture with domains A to E and the positions 1 to 4 of the use-cases above. Blocks: Vehicle Computer/Server, Ethernet Switch, Domain Controller/Zonal Gateways, ECU, Sensor/Actuator, VSOC. Link types: Ethernet, CAN, LIN.]

Challenges

- No standardized way to configure a firewall
  - High synchronization effort between OEM/Tier1, configuration process prone to errors
- No harmonized connection to the IDS
  - Lack of standardized security events leads to high analysis efforts in the VSOC
- No agreed minimal set of firewall functionality
  - High efforts in SW development to accommodate all OEM specifications

Firewall standardization in AUTOSAR: Addressing the challenges

AUTOSAR overview (Firewall in AUTOSAR)

What is AUTOSAR?

- AUTOSAR is a standardized middleware for automotive ECUs.
- Classic AUTOSAR: safety, real-time OS, µCs
- Adaptive AUTOSAR: performance, flexible safety, µPs

Why use AUTOSAR to address the firewall challenges?

- Widely used in the automotive industry
- AUTOSAR toolchain can be used for firewall configuration
- AUTOSAR is an industry consortium
- Final solution aligned with needs of automotive industry

Firewall in AUTOSAR

Goals/Use-Cases

- Filtering of incoming/outgoing communication according to given ruleset
  - Stateless filtering
  - Stateful filtering
  - Deep packet inspection (e.g., SOME/IP, DoIP)
- Standardization language for firewall filter rule configuration
- Vehicle state sensitive firewall rule sets
- Standardized security events for IdsM

Applicable AUTOSAR standards

- All AUTOSAR (Classic/Adaptive) standards applicable
- Focus first on Adaptive
- Classic/Switches in later step
- Standardized firewall configuration language available in ARXML
- Can also be used in non-AUTOSAR projects

[Figure: AUTOSAR Ethernet Firewall placed between Ethernet TRX 1, Ethernet TRX 2, Ethernet TRX 3 and the AUTOSAR TCP/IP Stack and Application Software.]

Host firewall in Adaptive AUTOSAR

- Firewall available for Adaptive AUTOSAR with the AUTOSAR R22-11 release!
- Firewall functionality can be found in the new functional cluster ara:fw
- Let's dive deeper into the specification
  - Firewall architecture
  - Standardization language for firewall filter rule configuration
  - Vehicle-state-based packet inspection
  - Connection to the IDPS ecosystem

Firewall in Adaptive AUTOSAR

[Figure: ara:fw inside Adaptive AUTOSAR reads the firewall rules from the AUTOSAR Manifest and writes the firewall engine configuration. The firewall engine sits in the operating system next to the network stack and filters network packets. Interfaces shown: set vehicle state, raise security events.]

- ara:fw is a management module:
  - Takes firewall configuration in AUTOSAR format
  - Configures underlying firewall engine with firewall rules
- Firewall engine is typically integrated on OS level
  - Linux: iptables
  - QNX: pfilter
  - Proprietary firewall engines also possible
- Interfaces of ara:fw
  - Setting the vehicle state
  - Raising security events

Standardized filter rule configuration

Challenge

- No common firewall configuration scheme
- High effort for harmonizing OEM requirement with firewall configuration
- Requirements translation process prone to errors

AUTOSAR firewall solution

- Introduce common language for configuring firewalls
- Standardized ARXML exchange format
- AUTOSAR tooling support allows for easy allowlist generation from communication matrix

Firewall configuration language defined in the AUTOSAR manifest specification as UML

- Let's have a detailed look

Source: AUTOSAR Specification of Manifest

Standardized filter rule configuration (structure of a rule)

- Network packet pattern
  - Data link layer pattern: Source MAC addr., Dest. MAC addr., EtherType, VLAN ID
  - Network layer pattern
    - IPv4 pattern: Source IP addr., Dest. IP addr., TTL, IP header fields
    - IPv6 pattern
    - ICMP pattern
  - Transport layer pattern
    - UDP pattern
    - TCP pattern: Source port number, Dest. port number, Max number of allowed connections, Timeout of open connections, State management based on TCP flags
  - Application layer pattern
    - SOME/IP pattern: Header fields, Service ID, Method ID, Client ID, Length verification
    - SOME/IP SD pattern
    - DDS pattern
    - DoIP pattern
  - Payload byte pattern: Byte value, Offset
- Firewall action: Allow/block packet
- Rate limiting: Based on leaky bucket algorithm

Callouts in the figure: Stateful packet inspection, Deep packet inspection.

Vehicle state dependent filtering

Challenge

- Network traffic depends strongly on vehicle state, e.g. driving, parking, in a diagnostic session
- Specific network packets should only be allowed when the vehicle is in the correct state
- Example: Diagnostic communication should only be allowed when the vehicle is in a diagnostic session

AUTOSAR firewall solution

- Define set of project-specific vehicle states
- Connect firewall rules to vehicle states
- Allow switching of vehicle states via application

[Figure legend: Driving state communication, Diagnostic communication.]

Vehicle state dependent filtering: How does the firewall accommodate state switches?

- Multiple firewall rules can be grouped in firewall vehicle states
- An application can switch between different states using the ara:fw:FirewallStateSwitchInterface
- ara:fw updates the firewall engine configuration on the fly

Important: Vehicle states are not standardized, but can be defined by every user according to their needs.

[Figure: an application sets the vehicle state "Diagnostic session". The AUTOSAR Manifest holds one group of firewall rules for "Driving" and one for "Diag session"; ara:fw writes the "Diag session" rules into the firewall engine configuration.]

Connection to the IDPS ecosystem

- IDS Sensors: identify security incidents on host and network level
- In-vehicle distributed IDS: collects security incidents, performs pre-analysis and communicates with the backend
- Smart Sensors: IDS-CAN & IDS-ETH function as smart "IDS Sensors", detecting anomalies on CAN and automotive Ethernet/IP
- Vehicle SOC: team of security experts analyzes security events and decides about countermeasures

[Figure: Classic/Adaptive AR ECUs (e.g. Gateway) and the Telematics Control Unit, each with an IDS-Manager and IDS Sensors. Further blocks: Ethernet IDS, AUTOSAR Firewall, IDS-Reporter.]

Connection to IDPS ecosystem

Challenge

- Only few AUTOSAR-standardized security events available
- OEMs define their own Ethernet security events
- Non-uniform security events lead to high efforts in the VSOC

AUTOSAR firewall solution

- Provide standardized set of network security events
- Standardize associated context data for efficient analysis in VSOC
- Uniform, standardized security event landscape

Result

- 15 new security events for the firewall defined
- Security events based on individual protocols and other firewall functionality (e.g. rate limit reached)
- Standardized context data: network packet header provided as context data for analysis in VSOC

Source: AUTOSAR Specification of Firewall in Adaptive Platform

Firewall standardization in AUTOSAR: What else is there to come?

Recap: Future zone-based E/E-architecture. Current status of firewall standardization

1. Firewall and IDS on Vehicle computer
   - Network separation using VLANs
   - Firewall cross domain traffic
   - Firewall end-to-end traffic
   - Deep packet inspection for some frames
   - Intrusion detection for Ethernet
2. Firewall on Ethernet switch
   - Network separation using VLANs between domains A, B, C, D and E
   - Firewall cross domain traffic at high speed between domains A, B, C, D and E
   - Access control for vehicle server
3. Firewall and IDS on Domain controller
   - Access control and firewall zonal traffic
4. Firewall on end ECUs
   - Firewall for specific applications like EV charging ECU

Status callouts in the figure:

- Addressed for Adaptive AR! Open for Classic AR
- Addressed in current specification
- Configuration via standardized language possible! No functional specification for firewall on switches!
- Open

[Figure: the zonal E/E-architecture diagram from the use-case slide, with domains A to E, positions 1 to 4, Vehicle Computer/Server, Ethernet Switch, Domain Controller/Zonal Gateways, ECU, Sensor/Actuator, VSOC, and Ethernet, CAN and LIN links.]

Outlook: Classic AUTOSAR

Current focus of work

- Firewall standardization for Classic AUTOSAR

Goal

- Same feature set as in Adaptive AUTOSAR
  - Filtering of network traffic (stateless, stateful, deep packet inspection)
  - Re-usage of standardized firewall configuration language
  - Dynamic firewall rules based on vehicle state
  - Security events raised by firewall

Release timeline

- Next AUTOSAR release R23-11

Outlook: Firewall on switches

- Modern switches with dedicated CPU can run AUTOSAR
  - Allows re-usage of existing AUTOSAR modules
  - Allows leveraging of AUTOSAR tooling support
- The AUTOSAR firewall specification shall also support the deployment on switches

Additional features for switch deployment

- Configuration of filtering mechanisms in switch core (e.g. (T)CAM rules)
- Extension of firewall configuration language to include (T)CAM rule configuration

Release timeline

- Next AUTOSAR release R23-11

[Figure: switch block diagram. Labels: Firmware Update, Secure Boot, AVB Stream Config., gPTP Stack, Switch CPU, Classic AUTOSAR, AUTOSAR Firewall, AUTOSAR ETH Stack, Firewall Switch Configuration, Firewall Prefilters, Firewall VLAN Configuration, MAC Table Configuration, Switch Core, Internal Port, Registers, Port 1 to Port 8, SMI, Configuration, SPI, FLASH.]

Summary/Conclusion

- Increasing need for firewall in automotive, but deployment oftentimes cumbersome
  - High-effort alignment process, prone to errors
- AUTOSAR firewall standardization addresses this issue by specifying a common language for firewall configuration
- Additional firewall features
  - Stateless, stateful and deep packet inspection
  - Filtering based on vehicle state
  - Standardized security events for IDS
- Specification available for Adaptive AUTOSAR; Classic AUTOSAR and switches are planned for the next release R23-11

Thank you!